Lucene search
K

16 matches found

OSV
OSV
added 2025/11/24 5:16 p.m.7 views

CVE-2025-63433

Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code. An attacker with the ability to intercept network traffic can use this hardcoded key to decrypt,...

4.6CVSS5.8AI score0.00164EPSS
Exploits1References2
Cvelist
Cvelist
added 2025/11/24 12:0 a.m.9 views

CVE-2025-63433

Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code. An attacker with the ability to intercept network traffic can use this hardcoded key to decrypt,...

0.00164EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2025/11/24 12:0 a.m.7 views

PT-2025-47947

Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code. An attacker with the ability to intercept network traffic can use this hardcoded key to decrypt,...

6.8AI score0.00164EPSS
Exploits1References3
CVE
CVE
added 2025/11/24 12:0 a.m.15 views

CVE-2025-63433

Summary of CVE-2025-63433 : Xtooltech Xtool AnyScan Android Application 4.40.40 and earlier uses a hardcoded cryptographic key and IV stored statically in code to decrypt update metadata. This enables an attacker who can intercept network traffic to use the hardcoded key to decrypt, modify, and r...

4.6CVSS6.4AI score0.00164EPSS
Exploits1References2Affected Software1
RedhatCVE
RedhatCVE
added 2025/11/19 5:20 p.m.3 views

CVE-2025-34324

GoSign Desktop versions 2.4.0 and earlier use an unsigned update manifest for distributing application updates. The manifest contains package URLs and SHA-256 hashes but is not digitally signed, so its authenticity relies solely on the underlying TLS channel. In affected versions, TLS certificate...

7.8CVSS7.6AI score0.00091EPSS
Exploits1References1
NVD
NVD
added 2025/11/18 5:16 p.m.2 views

CVE-2025-34324

GoSign Desktop versions 2.4.0 and earlier use an unsigned update manifest for distributing application updates. The manifest contains package URLs and SHA-256 hashes but is not digitally signed, so its authenticity relies solely on the underlying TLS channel. In affected versions, TLS certificate...

7.8CVSS0.00091EPSS
Exploits1References4
OSV
OSV
added 2025/11/18 5:16 p.m.5 views

CVE-2025-34324

GoSign Desktop versions 2.4.0 and earlier use an unsigned update manifest for distributing application updates. The manifest contains package URLs and SHA-256 hashes but is not digitally signed, so its authenticity relies solely on the underlying TLS channel. In affected versions, TLS certificate...

7.8CVSS6.3AI score0.00091EPSS
Exploits1References4
Cvelist
Cvelist
added 2025/11/18 4:33 p.m.6 views

CVE-2025-34324 GoSign Desktop < 2.4.1 Insecure Update Mechanism RCE

GoSign Desktop versions 2.4.0 and earlier use an unsigned update manifest for distributing application updates. The manifest contains package URLs and SHA-256 hashes but is not digitally signed, so its authenticity relies solely on the underlying TLS channel. In affected versions, TLS certificate...

7CVSS0.00091EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2025/11/18 4:33 p.m.1 views

CVE-2025-34324 GoSign Desktop < 2.4.1 Insecure Update Mechanism RCE

GoSign Desktop versions 2.4.0 and earlier use an unsigned update manifest for distributing application updates. The manifest contains package URLs and SHA-256 hashes but is not digitally signed, so its authenticity relies solely on the underlying TLS channel. In affected versions, TLS certificate...

7CVSS7.3AI score0.00091EPSS
Exploits1References4
EUVD
EUVD
added 2025/11/18 4:33 p.m.3 views

EUVD-2025-198033

GoSign Desktop versions 2.4.0 and earlier use an unsigned update manifest for distributing application updates. The manifest contains package URLs and SHA-256 hashes but is not digitally signed, so its authenticity relies solely on the underlying TLS channel. In affected versions, TLS certificate...

7CVSS7.1AI score0.00091EPSS
Exploits1References5
CNNVD
CNNVD
added 2025/11/18 12:0 a.m.4 views

GoSign Desktop 安全漏洞

GoSign Desktop is an electronic document signing software from GoSign Lithuania. A security vulnerability exists in GoSign Desktop version 2.4.0 and prior versions, which stems from the fact that the update manifest is unsigned and TLS certificate validation can be disabled, which could lead to...

7.8CVSS7.6AI score0.00091EPSS
Exploits1References5
OSV
OSV
added 2025/11/12 7:18 p.m.2 views

MAL-2025-173406 Malicious code in buta-fbobna-giodaiaif (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aec892b68bc3ff0f73446293d7ebf7f00698a43128d568b62c81ecddcebbb8bb This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.8AI score
Exploits0
OSSF Malicious Packages
OSSF Malicious Packages
added 2025/11/12 6:0 p.m.3 views

Malicious code in eimearobrien (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4ec779ca800ab1240e0639454e07958720575e4de5269ddc892aae569f84619a This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
OSV
OSV
added 2025/11/11 7:38 a.m.1 views

MAL-2025-101064 Malicious code in creepy_caterpillar_amethyst-53 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c3ed330a1bc3a12b700c5903bd85258e82da4923d5909f184aa04ed76d19268b This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.8AI score
Exploits0
OSV
OSV
added 2020/06/11 5:15 p.m.4 views

CVE-2020-11614

Mids' Reborn Hero Designer 2.6.0.7 downloads the update manifest, as well as update files, over cleartext HTTP. Additionally, the application does not perform file integrity validation for files after download. An attacker can perform a man-in-the-middle attack against this connection and replace...

8.1CVSS7.3AI score0.00392EPSS
Exploits1References2
NVD
NVD
added 2020/06/11 5:15 p.m.12 views

CVE-2020-11614

Mids' Reborn Hero Designer 2.6.0.7 downloads the update manifest, as well as update files, over cleartext HTTP. Additionally, the application does not perform file integrity validation for files after download. An attacker can perform a man-in-the-middle attack against this connection and replace...

8.1CVSS0.00392EPSS
Exploits1References2
Rows per page
Query Builder